Client Provisioning

The following minimal configuration is needed for each client (within an OpenID Security Domain):

Base URL

The URLs the client should use are published by the Security Domain-specific openid-configuration endpoint.

Client identifier

The client_id is normally supplied by Buypass. See also Client authentication.

Client credentials

The client authentication method depends on the Security Domain and the rules and policies associated with that domain.

For example, for the BuypassID Domain, only private_key_jwt is currently supported. Hence a certificate or public key is needed. Use of jwks_uri (see RFC 7517) may be supported at a later date for this domain.

For other domains, public keys may also be provided using a jwks_uri (see RFC 7517), enabling the client to control key rotation independently of certificate expiration.

Finally, some (low-risk) domains may allow client_secret_basic or client_secret_post, with some level of self-service for generating secrets.

See also Client authentication.

Redirect URLs

If the client intends to log on end-users (using the OIDC Authorization Code Flow), redirect URLs must be provided by the customer/application owner.

Scopes

Depending on which services the client intends to use (that is, which services/APIs the client intends to send the Access Token to), the relevant scopes must be configured. Within a Security Domain, the list of scopes available to a client is set per client.

Authentication flow

Within a Security Domain (and for a specific type of client), a default authentication flow is defined. If the client requires another flow, this must be configured.
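The following pre-flight check is an added example, not Buypass code: it compares a client's intended configuration with the domain's openid-configuration document before provisioning is requested. Metadata names follow OpenID Connect Discovery and Dynamic Client Registration; the hosts, scope names and the function name check_client are constructed for illustration, and the https-only redirect rule and the use of scopes_supported as a complete list are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample of a Security Domain's openid-configuration document.
# Field names follow OpenID Connect Discovery 1.0; all values are made up.
DISCOVERY = {
    "issuer": "https://idp.example/domain-a",
    "token_endpoint": "https://idp.example/domain-a/token",
    "token_endpoint_auth_methods_supported": ["private_key_jwt"],
    "scopes_supported": ["openid", "profile", "api.read"],
}

# Constructed client configuration, as it would be submitted for provisioning.
CLIENT = {
    "client_id": "placeholder-client-id",
    "token_endpoint_auth_method": "private_key_jwt",
    "jwks_uri": "https://app.example/jwks.json",
    "grant_types": ["authorization_code"],
    "redirect_uris": ["https://app.example/callback"],
    "scope": "openid api.read",
}

def check_client(discovery, client):
    """Return a list of provisioning problems; an empty list means consistent."""
    problems = []
    method = client.get("token_endpoint_auth_method")
    if method not in discovery.get("token_endpoint_auth_methods_supported", []):
        problems.append(f"auth method {method!r} not supported by this domain")
    # How the key is registered (certificate, jwks, jwks_uri) is domain-specific;
    # this only checks that key material is part of the configuration.
    if method == "private_key_jwt" and not (client.get("jwks") or client.get("jwks_uri")):
        problems.append("private_key_jwt needs a registered public key")
    if "authorization_code" in client.get("grant_types", []):
        uris = client.get("redirect_uris", [])
        if not uris:
            problems.append("authorization code flow needs redirect_uris")
        for uri in uris:
            parts = urlsplit(uri)
            # Assumption: web clients only, so redirect URLs must be https.
            if parts.scheme != "https" or not parts.netloc:
                problems.append(f"redirect URI is not an absolute https URL: {uri}")
            if parts.fragment:
                problems.append(f"redirect URI must not contain a fragment: {uri}")
    # Assumption: the domain advertises every scope it offers.
    unknown = set(client.get("scope", "").split()) - set(discovery.get("scopes_supported", []))
    if unknown:
        problems.append(f"scopes not offered by this domain: {sorted(unknown)}")
    return problems

if __name__ == "__main__":
    print(check_client(DISCOVERY, CLIENT) or "configuration is consistent")
```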